

Human error, zero-day targeted attacks make up latest SANS Top 20

Few would dispute the powerful link between social engineering and the success of a cyberattack in today's financially-driven threat landscape. So now, for the first time, the SANS Institute has named human error to its twice-annual Top 20 Internet Security Attack Targets list, a line-up that, until now, was reserved solely for technology.

Rohit Dhamankar, editor of the report, which was released this morning, said targeted social engineering attacks, known as spear phishing, are becoming more common, particularly against military entities and government agencies. In such an attack, for example, an employee might receive an email that claims to come from the CEO but actually contains a malicious link.

If an end user falls for the scheme, his or her machine often ends up as part of a botnet, he said.

"It's targeted against specific organizations to get specific information," Dhamankar, who works as senior manager of security research at TippingPoint, told SCMagazine.com on Tuesday. "The weakest link is now being targeted. It's the end user falling for one of these emails."
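The kind of spear-phishing message described above, an email that claims to come from the CEO but carries a malicious link, leaves a few cheap-to-check traces in its headers and body. The triage script below is an added example, not code from the SANS report or from SC Magazine: it flags a message when a known executive's display name is paired with a mailbox that is not theirs, when Reply-To steers replies to a different domain than the sender's, or when the visible text of a link names one host while the href points at another. The executive directory and both sample messages are constructed for the example.

```python
"""Spear-phishing triage: flag an inbound message that impersonates an
executive by display name, redirects replies to another domain, or hides
a link behind text that names a different host."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed organisation data, constructed for this example: display name -> real mailbox.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Hostname a reader would infer from visible link text such as "https://portal.example.com/x".
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?]|$)", re.I)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list:
    """Return human-readable findings for one RFC 5322 message; [] means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    # 1. An executive's display name in front of a mailbox that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' but sender is {addr}")

    # 2. Reply-To pointing replies at a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != domain_of(addr):
        findings.append(f"Reply-To {reply} is outside sender domain {domain_of(addr)}")

    # 3. Anchor text that names one host while the href goes somewhere else.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            shown = HOST_IN_TEXT.match(text)
            real = (urlparse(href).hostname or "").lower()
            if shown and real and shown.group(1).lower() != real:
                findings.append(f"link text shows {shown.group(1)} but href goes to {real}")
    return findings


# Constructed sample messages (not real traffic).
SUSPECT = """\
From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.office@free-mail.example
To: staff@example.com
Subject: Urgent: review the invoice today
Content-Type: text/html; charset="utf-8"

<p>Please review <a href="http://203.0.113.5/login">https://portal.example.com/invoice</a> before noon.</p>
"""

CLEAN = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Board update
Content-Type: text/html; charset="utf-8"

<p>Slides are at <a href="https://portal.example.com/board">https://portal.example.com/board</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, phishing_indicators(raw) or "no indicators")
```

All three checks are heuristics, and the display-name check only works when the filter has a directory of who the executives really are; that directory, not the regex, is what makes the rule precise enough to act on.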

Technology vulnerabilities still make up the remainder of the Top 20 list. Among them is a surge in exploits targeting web applications and client-side applications other than Internet Explorer, such as Microsoft Office.

"Two years ago, hackers were targeting more servers which were administered by system administrators who are pretty well versed in security," Amol Sarwate, manager of the vulnerability research lab at Qualys, told SCMagazine.com today. "But now they are targeting client-side vulnerabilities…targeting common users who are not that security savvy."

But faster patching within organizations means cybercriminals have to be craftier, which is driving the rise of zero-day exploits: attacks on vulnerabilities for which no patch yet exists.

"Automated patching is becoming more and more common," Dhamankar said. "There used to be a window of exploitation available for hackers but now…people are all patched. For a hacker to compromise a system, he has to have something which isn't patched yet."

Other notable threats on the latest list, previously named the Top 20 Internet Security Vulnerabilities, include a rise in voice over internet protocol (VoIP) attacks.

The report also called attention to the increased risk organizations face when employees connect unauthorized devices, such as iPods or memory sticks, to the network, Dhamankar said. This not only gives malware a path to spread but also creates the risk of employees, maliciously or accidentally, walking out with confidential company information.

"All the person has to do is walk in with a USB drive and go," he said. "You don't need any fancy network-based data transfer solutions."
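A host can at least notice when the USB drive in that scenario is plugged in. The script below is an added example, not from the SANS report or SC Magazine: it reads Linux kernel log lines, correlates the "New USB device found" line (which carries vendor and product IDs) with the later usb-storage line on the same port path, and reports any mass-storage device whose IDs are not on an allowlist. A keyboard enumerates but never binds usb-storage, so it is not reported. The allowlist and the log lines are constructed for the example.

```python
"""Flag unauthorized USB mass-storage devices from Linux kernel log lines.
The kernel logs 'usb <port>: New USB device found, idVendor=..., idProduct=...'
when a device enumerates and 'usb-storage <port>:<iface>: USB Mass Storage
device detected' when the storage driver binds; the port path ties them together."""
import re

NEW_DEVICE = re.compile(
    r"usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
MASS_STORAGE = re.compile(
    r"usb-storage (?P<port>\d+-[\d.]+):[\d.]+: USB Mass Storage device detected"
)

# Assumed allowlist of corporate-issued drives as (vendor_id, product_id); constructed.
ALLOWED_STORAGE = {("0781", "5583")}


def unauthorized_storage(log_lines, allowed=ALLOWED_STORAGE):
    """Return [(port, vendor_id, product_id)] for each mass-storage bind not on the allowlist.
    vendor_id/product_id are None if usb-storage bound on a port with no enumeration line seen."""
    seen = {}      # port path -> (vid, pid) from the most recent enumeration
    alerts = []
    for line in log_lines:
        m = NEW_DEVICE.search(line)
        if m:
            seen[m["port"]] = (m["vid"], m["pid"])
            continue
        m = MASS_STORAGE.search(line)
        if m:
            ids = seen.get(m["port"])
            if ids is None:
                alerts.append((m["port"], None, None))
            elif ids not in allowed:
                alerts.append((m["port"], ids[0], ids[1]))
    return alerts


# Constructed kernel log excerpt: one allowlisted drive, one keyboard, one unknown drive.
SAMPLE_LOG = [
    "Mar 14 09:12:01 ws07 kernel: usb 1-3: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00",
    "Mar 14 09:12:01 ws07 kernel: usb 1-3: Product: Ultra Fit",
    "Mar 14 09:12:02 ws07 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected",
    "Mar 14 09:15:44 ws07 kernel: usb 1-4: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00",
    "Mar 14 09:15:44 ws07 kernel: usb 1-4: Product: USB Keyboard",
    "Mar 14 10:02:10 ws07 kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10",
    "Mar 14 10:02:11 ws07 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected",
]

if __name__ == "__main__":
    for port, vid, pid in unauthorized_storage(SAMPLE_LOG):
        print(f"unauthorized mass storage on port {port}: {vid}:{pid}")
```

Vendor and product IDs are reported by the device itself and can be cloned, so an allowlist like this raises the bar rather than closing the door; it is a detection control, and the report's point stands that the person with physical access still just walks out.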
